Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8163

Missing permission check in review coverage REST endpoint - CVE-2017-18035

    Details

    • Symptom Severity:
      Minor

      Description

      The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.

      Affected versions:

      Older than 4.5.1

      Fix versions:

      4.5.1, 4.6.0

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Last commented:
                  15 weeks, 4 days ago